OpenBSD Local Root Exploit

06/18/2001

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories.

In this column, we look at a race condition in the OpenBSD kernel; cross-site request forgeries; a new version of tcpdump; buffer overflows in rxvt, fetchmail, the HP-UX implementation of CDE, and UW-IMAP; a symbolic-link race condition in mandb; and vulnerabilities in SITEWare Editor's Desktop, Apache under Mac OS X client, LPRng, Caldera's Volution, and Slackware 7.1's /etc/shells.

OpenBSD versions 2.8 and 2.9 are vulnerable to a race condition in the kernel that can be exploited to execute arbitrary code as the root user. An exploit has been publicly distributed. This vulnerability is similar to the ptrace exploit of the Linux kernel that was announced a few months ago. It is unclear what versions, if any, of FreeBSD and NetBSD may be vulnerable to this exploit.

Users of OpenBSD should apply the source code patch to repair the vulnerability. Users of FreeBSD and NetBSD should watch for announcements and patches.

Cross-site request forgeries are a new type of attack against web-based applications. They use HTML tags to hide a URL that will be processed by the client application without the user's knowledge or permission. Examples of client applications include web browsers, email clients, and news readers that process inline HTML code.

This type of attack is enacted by inserting a URL into an <img> tag that causes an action on a web application. When the client application parses the page, it will request the URL inside the image tag in an attempt to download an image, which instead triggers the action in the web application. Attacks that use this method can use a user's cookies or saved passwords and will appear to the web application as being initiated by the user.

Most methods of protection from this type of attack will have to be provided by the makers of the client applications. However, some things users can do to lower their vulnerability include: using an email client that does not render HTML, not using a newsgroup reader that is embedded in your web browser, being careful about what passwords your browser saves, and logging off any important web sites.
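Because a forged request arrives with the user's own cookies, the web application side can only tell it apart from a genuine one by demanding something the hidden <img> URL cannot carry. The following is an added illustration, not code from the column or from any product it names: a request check that never performs actions on GET (the method an image fetch uses) and requires a per-session token on state-changing requests. The function and session names are assumptions for this example.

```python
import hmac
import secrets

# Constructed example of the application-side check. Names such as
# issue_token, check_request and the session dict are assumptions for
# this illustration, not the API of any particular web framework.

STATE_CHANGING = {"POST", "PUT", "DELETE"}


def issue_token(session: dict) -> str:
    """Store a fresh random token in the user's session and return it,
    so the application can embed it as a hidden field in its own forms."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def check_request(method: str, form: dict, session: dict) -> str:
    """Classify a request that arrived with the user's session cookie.

    Returns "ok" when the action may proceed, otherwise the reason it was
    refused. An <img> fetch is a GET, so refusing to change state on GET
    means the cookie alone gains a forged request nothing; state-changing
    methods must additionally present the token stored in the session.
    """
    if method == "GET":
        return "refused: state change not allowed on GET"
    if method not in STATE_CHANGING:
        return "refused: unsupported method"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return "refused: missing token"
    # Constant-time comparison so the token cannot be recovered by timing.
    if not hmac.compare_digest(expected, supplied):
        return "refused: token mismatch"
    return "ok"


if __name__ == "__main__":
    session = {"user": "alice"}          # constructed logged-in session
    token = issue_token(session)
    # What an <img src="...?action=..."> in a page or mail produces: a GET.
    print(check_request("GET", {}, session))
    # The user's own form submission, carrying the hidden token.
    print(check_request("POST", {"csrf_token": token}, session))
    # A POST that lacks the token is refused even with a valid cookie.
    print(check_request("POST", {}, session))
```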

The rxvt X-Windows terminal emulator has a locally-exploitable buffer overflow that can be used to gain additional privileges. Version 2.6.2 was reported to be vulnerable; version 2.6.3 may also be vulnerable, as there is no mention of this problem in the changelog file. An exploit script has been publicly released.

Users should remove any set user ID or set group ID bits from rxvt until it has been patched.

A new version of tcpdump, a network monitoring tool, has been released. This new version fixes several remote buffer overflows and a vulnerability with decoding AFS ACL packets, which could be used to execute arbitrary code on the machine running tcpdump with the permissions of the root user.

All users of tcpdump should upgrade to version 3.6.2 as soon as possible.

The SITEWare Editor's Desktop, a web-based administration tool for ScreamingMedia content, has a vulnerability that can be used by an attacker to retrieve arbitrary files, such as the unencrypted password file, from a ScreamingMedia server.

The HP-UX implementation of the Common Desktop Environment (CDE) contains buffer overflows that can be exploited to gain root permissions. These buffer overflows are present in HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11.

Users should apply the appropriate patch from HP for their version of HP-UX.

UW-IMAP, the IMAP (Internet Message Access Protocol) server from the University of Washington, has several buffer overflows that can be exploited by an authorized user to gain access to a remote interactive shell running as the user. Systems that provide interactive shells to users are not affected by this problem.

Under some conditions, Apache on the client version of Mac OS X will not protect directories from view or script execution despite being configured to do so. This problem only affects directories mounted on an HFS+ volume. Mac OS X Server ships with a mod_hfs_apple.so Apache module that corrects this problem, but this module is not available as source or as part of the Apache distribution.

A workaround for this problem is to place all of the directories that need to be protected on a UFS volume. Users should watch Apple for a patch to solve this problem.

Slackware 7.1 installs the file /etc/shells with world-writable permissions. This can be exploited by a local user to deny other users access and, in the case of a user with a restricted shell, may be used to increase their access.

It is recommended that users correct the permissions of the /etc/shells file.